What the C-suite can learn from the Marriott/Starwood megabreach

I have three words that matter in any potential acquisition: cybersecurity due diligence.

Many of you may be wondering how a major, multi-billion dollar organisation can find itself without sufficient cybersecurity in place to detect the theft of hundreds of millions of customer details?

One problem with cyberattacks is that they are intentionally designed to go unnoticed for as long as possible. Cybersecurity professionals refer to this as the dwell time; the interval between when intruders first gain unauthorised access and when they are detected and expunged. The longer an attack can remain undetected, the greater the value the attacker can strip from the target.

There are many statistics about just how long it takes to detect an intrusion, but the hard truth is that these statistics are skewed by the fact that many intrusions never get uncovered. From the intrusions that are discovered, it is clear that such incursions (known as advanced persistent threats) regularly take months to discover and, in numerous cases, such as the Yahoo breach, the dwell time can be measured in years.

In the case of the recently publicised Marriott/Starwood breach, Marriott appears to have effectively “purchased” the breach. Just like contact with an infected person can spread a disease, integrating a compromised system effectively delivers new opportunities for an attacker to widen the intrusion. When Marriott acquired Starwood and integrated its database, the unwelcome passenger was not initially detected.


The real question is this: could the intrusion have been detected earlier?

Although the specific mechanics of this breach have not yet been revealed, it is possible to look back at similar megabreaches. What they reveal is that stealing hundreds of millions of customer details is not a minor data leak. There will have been signs (or as cybersecurity professionals like to call them, “indicators of compromise”). There would also have been defensive processes and technologies that could have been in place.

Many companies are still underestimating the budget and resources needed to operate cybersecurity effectively. In my opinion, such organisations also underestimate the brand and share value damage that cyberattacks can create.

If I were a Marriott shareholder, I might be wondering just how much of a discount could have been achieved if the pre-purchase due diligence checks on Starwood had found the breach before the acquisition was made … and then I might be wondering just how much this breach will end up costing, and whether the current management had been spending enough on cybersecurity.

Simply having a cybersecurity function is not enough. Each organisation must keep investing so that its security personnel, technologies and processes stay up to date.

From my own perspective, the complaint I hear most often from fellow ISACA members is that their organisations spread security resources too thinly and fail to recognise just how important it is to adequately invest in staff training and new security technologies to keep pace with evolving threats.

If you run or influence the cybersecurity approach in any organisation, here are some hard-won tips to help you avoid being caught out by a megabreach:

Independently audit the cybersecurity function at least annually

Although there are more than 100,000 CISA-certified information security auditors, it is surprising how often these certified professionals find they are not asked to inspect and report on the most significant gap of all: the cybersecurity function itself.

One of the challenges is that when auditors report to the function they are inspecting, delivering objective results can be difficult, if not a career-limiting move! A regular independent audit of the overall cybersecurity function can provide valuable insight into which gaps exist and how many of them there are. It can also help with the next point.

Don’t skimp on the cybersecurity budget

The cybercriminals are evolving their techniques extremely quickly. To keep pace, cybersecurity professionals need to constantly evolve their skills and acquire new tools.

If you starve your security function of funds or training opportunities, the result is that your organisational risk increases.

When faced with any challenges from the C-suite about budget, my usual response is this: no executive wants to tell the press or shareholders that he or she was trying to economise on the security budget.


Value for money is an important measure, but failing to put a required defence in place is not something the press or stakeholders forgive.

Think beyond the network

It may seem obvious that most of the breaches now involve attacks through suppliers, cloud platforms and mobile devices – but wherever your organisation finds it hardest to implement security is the ideal place for an attacker to begin his or her attack.

... And finally, I have three words that matter in any potential acquisition: cybersecurity due diligence.

Before you purchase or choose to merge with any new organisation, get a professional review of that organisation’s cybersecurity status. Although companies are reluctant to allow deep inspections, even a basic and “light” inspection lasting a matter of days, with a target that is less than cooperative, can reveal eye-watering and price-reducing results.

The more resistant an organisation is to an inspection, the higher the probability that it knows it has substantial problems to resolve – and that will cost time and money.

Raef Meeuwisse, CISM, CISA, ISACA is an expert speaker and author of Cybersecurity for Beginners

Copyright 2019 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.